Privileges are access controls which can be grouped together to form a Role.

A Permission is a Role (a group of privileges) which has been assigned to a user or group and applied to a vCenter Inventory object. Permissions are assigned using the Web Client -> vCenter Object -> Manage -> Permissions.

Permissions can be assigned to users or groups authenticated through Single Sign-on (SSO).

From Web Client -> Home -> Roles selecting a Role and selecting Usage will display where the Role has been applied and for which users/groups.

– Describe how permissions are applied and inherited in vCenter Server

Global permissions can be assigned in the Web Client -> Home -> Administration -> Global Permissions. Global permissions apply to all objects in the inventory hierarchies of the environment. If you de-select Propagate to children, the users or groups associated with the Global permission will not have access to the objects in the inventory hierarchy; they only have access to some global functionality such as creating roles.

Permissions can be applied directly to the object or propagated to children.
The View Children link shows all the children the permission will apply to if the Propagate to children checkbox is selected.

If a user is a member of more than one group and the groups are assigned different permissions on the same object, the user has the combined privileges contained in the roles (provided no permission has been defined for the user directly on that object). Example: vSphere Security Guide Section 4, page 116.

Permissions applied to a child object override the permissions applied to the parent object. For example, if a user is assigned the Administrator role on the vCenter object with Propagate to children selected, and the same user is assigned the No Access role on a host in the vCenter inventory, the No Access role will be applied to the host and, if set to propagate, to its children. Example: vSphere Security Guide Section 4, page 116.

A user role overrides a group role. For example, if a user is a member of a group which has the Administrator role applied on an object, and a permission has been assigned directly to the user with the No Access role on the same object, the user permission takes precedence. Example: vSphere Security Guide Section 4, page 117.
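The precedence rules in the paragraphs above (propagation down the tree, child object overrides parent, explicit user permission overrides group permissions on the same object, multiple group permissions combine, and a Global permission without propagation granting nothing on inventory objects) are easy to misread in the Web Client. The following Python model is an added example written for these notes; it is not VMware code and not part of the original post. The inventory, the users and groups, the permissions and the privilege sets are constructed for illustration (the roles carry only a handful of privileges, not the real lists), and hosts sit directly under the datacenter to keep the tree short.

```python
"""Model of how vCenter resolves a user's effective role on an inventory object.
Added example with constructed data: the inventory, SSO groups, permissions
and privilege subsets below are illustrative, not real vSphere definitions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]


@dataclass(frozen=True)
class Permission:
    entity: str      # inventory object the permission is defined on
    principal: str   # user or group name
    role: Role
    propagate: bool  # the "Propagate to children" checkbox


@dataclass
class Effective:
    defined_on: Optional[str]   # object whose permission(s) decided the result
    roles: List[str]
    privileges: FrozenSet[str]


# Constructed roles; only a few privileges each, not the full vSphere sets.
NO_ACCESS = Role("No Access", frozenset())
READ_ONLY = Role("Read-Only", frozenset({"System.View", "System.Read"}))
VM_POWER = Role("VM Power User", frozenset({"System.View",
                                            "VirtualMachine.Interact.PowerOn",
                                            "VirtualMachine.Interact.PowerOff"}))
ADMINISTRATOR = Role("Administrator", frozenset({"System.View", "System.Read",
                                                 "Host.Config.Maintenance",
                                                 "VirtualMachine.Interact.PowerOn",
                                                 "VirtualMachine.Interact.PowerOff"}))

# Constructed inventory as child -> parent. "Global" is the pseudo-root that
# Global Permissions are defined on; it is above every vCenter Server object.
PARENT: Dict[str, Optional[str]] = {
    "Global": None,
    "vcenter": "Global",
    "datacenter1": "vcenter",
    "esx01": "datacenter1",
    "esx02": "datacenter1",
    "vm01": "esx01",
    "vm02": "esx02",
}

# Constructed SSO groups: group -> members.
GROUPS: Dict[str, Set[str]] = {
    "vcadmins": {"bob"},
    "ops": {"carol"},
    "viewers": {"carol"},
}

# Constructed permissions mirroring the scenarios described in the notes.
PERMISSIONS: List[Permission] = [
    # Global permission with propagation de-selected: nothing in the inventory.
    Permission("Global", "dave", READ_ONLY, propagate=False),
    # Child overrides parent: Administrator on vCenter, No Access on one host.
    Permission("vcenter", "alice", ADMINISTRATOR, propagate=True),
    Permission("esx01", "alice", NO_ACCESS, propagate=True),
    # User overrides group: group Administrator vs explicit user No Access.
    Permission("datacenter1", "vcadmins", ADMINISTRATOR, propagate=True),
    Permission("datacenter1", "bob", NO_ACCESS, propagate=True),
    # Two groups on the same object: the privileges combine.
    Permission("vm01", "ops", VM_POWER, propagate=False),
    Permission("vm01", "viewers", READ_ONLY, propagate=False),
]


def principal_matches(principal: str, user: str) -> bool:
    """True if the permission's principal is the user or a group the user is in."""
    return principal == user or user in GROUPS.get(principal, set())


def resolve(user: str, obj: str, permissions: List[Permission]) -> Effective:
    """Walk from obj up to the root. The nearest object carrying a permission
    that applies to the user (directly, or propagated from an ancestor) decides.
    On that object an explicit user permission wins; otherwise group roles union."""
    node: Optional[str] = obj
    is_target = True
    while node is not None:
        applicable = [p for p in permissions
                      if p.entity == node and (is_target or p.propagate)
                      and principal_matches(p.principal, user)]
        if applicable:
            explicit = [p for p in applicable if p.principal == user]
            chosen = explicit if explicit else applicable
            privs: Set[str] = set()
            for p in chosen:
                privs |= p.role.privileges
            return Effective(node, [p.role.name for p in chosen], frozenset(privs))
        node = PARENT.get(node)
        is_target = False
    return Effective(None, [], frozenset())


def role_usage(role_name: str, permissions: List[Permission]) -> List[Tuple[str, str, bool]]:
    """Equivalent of Roles -> Usage: where a role is applied and to whom."""
    return [(p.entity, p.principal, p.propagate) for p in permissions if p.role.name == role_name]


if __name__ == "__main__":
    for user, obj in [("alice", "esx01"), ("alice", "vm01"), ("alice", "esx02"),
                      ("bob", "datacenter1"), ("carol", "vm01"), ("dave", "vcenter")]:
        e = resolve(user, obj, PERMISSIONS)
        print(f"{user:6} on {obj:12}: {e.roles or ['(no access)']} decided on {e.defined_on}")
```

Running it shows alice losing access to esx01 and vm01 despite Administrator on the vCenter object, bob getting No Access on the datacenter even though his group is Administrator there, carol holding the union of her two groups' privileges on vm01, and dave's non-propagating Global permission granting nothing on the vCenter object. The resolver stops at the first object (walking upward) that carries an applicable permission, which is why a No Access permission placed low in the tree is such an effective way to carve a user out of an otherwise propagated Administrator grant.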

Viewing permissions shows the User/Group, Role, and where the permission is defined – Global Permission, This object and its children, This object, or the Parent Object where the permission has been defined.

A list of User/Group Roles can be exported to a CSV file or copied to the Clipboard.
Tip: Ctrl + Click copies the selected permissions to the clipboard.

This is interesting: Changes to licenses propagate to all vCenter Server systems that are linked to the same Platform Services Controller or to Platform Services Controllers in the same vCenter Single Sign-On domain, even if the user does not have privileges on all of the vCenter Server systems. Licensing privileges should therefore be granted with the whole SSO domain in mind, not just the vCenter Server the user is expected to manage.

vHersey

Hersey Cartwright is an IT professional with extensive experience designing, implementing, managing, and supporting technologies that improve business processes. Hersey is Solutions Architect for HPE SimpliVity covering Virginia, Washington DC, and Maryland. He holds the VMware Certified Design Expert (VCDX-DV #128) certification. Hersey actively participates in the VMware community and was awarded the VMware vExpert title in 2016, 2015, 2014, 2013, and 2012. He enjoys working with, teaching, and writing about virtualization and other data center technologies. Follow Hersey on Twitter @herseyc